secrets_test.go

Documentation: k8s.io/kubernetes/pkg/credentialprovider/secrets

     1  /*
     2  Copyright 2020 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package secrets
    18  
    19  import (
    20  	"reflect"
    21  	"testing"
    22  
    23  	"k8s.io/api/core/v1"
    24  	"k8s.io/kubernetes/pkg/credentialprovider"
    25  )
    26  
    27  // fakeKeyring is a fake docker auth config keyring
    28  type fakeKeyring struct {
    29  	auth []credentialprovider.AuthConfig
    30  	ok   bool
    31  }
    32  
    33  // Lookup implements the DockerKeyring method for fetching credentials based on image name.
    34  // Returns fake results based on the auth and ok fields in fakeKeyring
    35  func (f *fakeKeyring) Lookup(image string) ([]credentialprovider.AuthConfig, bool) {
    36  	return f.auth, f.ok
    37  }
    38  
    39  func Test_MakeDockerKeyring(t *testing.T) {
    40  	testcases := []struct {
    41  		name           string
    42  		image          string
    43  		defaultKeyring credentialprovider.DockerKeyring
    44  		pullSecrets    []v1.Secret
    45  		authConfigs    []credentialprovider.AuthConfig
    46  		found          bool
    47  	}{
    48  		{
    49  			name:           "with .dockerconfigjson and auth field",
    50  			image:          "test.registry.io",
    51  			defaultKeyring: &fakeKeyring{},
    52  			pullSecrets: []v1.Secret{
    53  				{
    54  					Type: v1.SecretTypeDockerConfigJson,
    55  					Data: map[string][]byte{
    56  						v1.DockerConfigJsonKey: []byte(`{"auths": {"test.registry.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}}`),
    57  					},
    58  				},
    59  			},
    60  			authConfigs: []credentialprovider.AuthConfig{
    61  				{
    62  					Username: "user",
    63  					Password: "password",
    64  				},
    65  			},
    66  			found: true,
    67  		},
    68  		{
    69  			name:           "with .dockerconfig and auth field",
    70  			image:          "test.registry.io",
    71  			defaultKeyring: &fakeKeyring{},
    72  			pullSecrets: []v1.Secret{
    73  				{
    74  					Type: v1.SecretTypeDockercfg,
    75  					Data: map[string][]byte{
    76  						v1.DockerConfigKey: []byte(`{"test.registry.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}`),
    77  					},
    78  				},
    79  			},
    80  			authConfigs: []credentialprovider.AuthConfig{
    81  				{
    82  					Username: "user",
    83  					Password: "password",
    84  				},
    85  			},
    86  			found: true,
    87  		},
    88  		{
    89  			name:           "with .dockerconfigjson and username/password fields",
    90  			image:          "test.registry.io",
    91  			defaultKeyring: &fakeKeyring{},
    92  			pullSecrets: []v1.Secret{
    93  				{
    94  					Type: v1.SecretTypeDockerConfigJson,
    95  					Data: map[string][]byte{
    96  						v1.DockerConfigJsonKey: []byte(`{"auths": {"test.registry.io": {"username": "user", "password": "password"}}}`),
    97  					},
    98  				},
    99  			},
   100  			authConfigs: []credentialprovider.AuthConfig{
   101  				{
   102  					Username: "user",
   103  					Password: "password",
   104  				},
   105  			},
   106  			found: true,
   107  		},
   108  		{
   109  			name:           "with .dockerconfig and username/password fields",
   110  			image:          "test.registry.io",
   111  			defaultKeyring: &fakeKeyring{},
   112  			pullSecrets: []v1.Secret{
   113  				{
   114  					Type: v1.SecretTypeDockercfg,
   115  					Data: map[string][]byte{
   116  						v1.DockerConfigKey: []byte(`{"test.registry.io": {"username": "user", "password": "password"}}`),
   117  					},
   118  				},
   119  			},
   120  			authConfigs: []credentialprovider.AuthConfig{
   121  				{
   122  					Username: "user",
   123  					Password: "password",
   124  				},
   125  			},
   126  			found: true,
   127  		},
   128  		{
   129  			name:           "with .dockerconfigjson but with wrong Secret Type",
   130  			image:          "test.registry.io",
   131  			defaultKeyring: &fakeKeyring{},
   132  			pullSecrets: []v1.Secret{
   133  				{
   134  					Type: v1.SecretTypeDockercfg,
   135  					Data: map[string][]byte{
   136  						v1.DockerConfigJsonKey: []byte(`{"auths": {"test.registry.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}}`),
   137  					},
   138  				},
   139  			},
   140  			authConfigs: nil,
   141  			found:       false,
   142  		},
   143  		{
   144  			name:           "with .dockerconfig but with wrong Secret Type",
   145  			image:          "test.registry.io",
   146  			defaultKeyring: &fakeKeyring{},
   147  			pullSecrets: []v1.Secret{
   148  				{
   149  					Type: v1.SecretTypeDockerConfigJson,
   150  					Data: map[string][]byte{
   151  						v1.DockerConfigKey: []byte(`{"test.registry.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}`),
   152  					},
   153  				},
   154  			},
   155  			authConfigs: nil,
   156  			found:       false,
   157  		},
   158  		{
   159  			name:  "with not matcing .dockerconfigjson and default keyring",
   160  			image: "test.registry.io",
   161  			defaultKeyring: &fakeKeyring{
   162  				auth: []credentialprovider.AuthConfig{
   163  					{
   164  						Username: "default-user",
   165  						Password: "default-password",
   166  					},
   167  				},
   168  			},
   169  			pullSecrets: []v1.Secret{
   170  				{
   171  					Type: v1.SecretTypeDockerConfigJson,
   172  					Data: map[string][]byte{
   173  						v1.DockerConfigJsonKey: []byte(`{"auths": {"foobar.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}}`),
   174  					},
   175  				},
   176  			},
   177  			authConfigs: []credentialprovider.AuthConfig{
   178  				{
   179  					Username: "default-user",
   180  					Password: "default-password",
   181  				},
   182  			},
   183  			found: true,
   184  		},
   185  		{
   186  			name:  "with not matching .dockerconfig and default keyring",
   187  			image: "test.registry.io",
   188  			defaultKeyring: &fakeKeyring{
   189  				auth: []credentialprovider.AuthConfig{
   190  					{
   191  						Username: "default-user",
   192  						Password: "default-password",
   193  					},
   194  				},
   195  			},
   196  			pullSecrets: []v1.Secret{
   197  				{
   198  					Type: v1.SecretTypeDockercfg,
   199  					Data: map[string][]byte{
   200  						v1.DockerConfigKey: []byte(`{"foobar.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}`),
   201  					},
   202  				},
   203  			},
   204  			authConfigs: []credentialprovider.AuthConfig{
   205  				{
   206  					Username: "default-user",
   207  					Password: "default-password",
   208  				},
   209  			},
   210  			found: true,
   211  		},
   212  		{
   213  			name:  "with no pull secrets but has default keyring",
   214  			image: "test.registry.io",
   215  			defaultKeyring: &fakeKeyring{
   216  				auth: []credentialprovider.AuthConfig{
   217  					{
   218  						Username: "default-user",
   219  						Password: "default-password",
   220  					},
   221  				},
   222  			},
   223  			pullSecrets: []v1.Secret{},
   224  			authConfigs: []credentialprovider.AuthConfig{
   225  				{
   226  					Username: "default-user",
   227  					Password: "default-password",
   228  				},
   229  			},
   230  			found: false,
   231  		},
   232  		{
   233  			name:  "with pull secrets and has default keyring",
   234  			image: "test.registry.io",
   235  			defaultKeyring: &fakeKeyring{
   236  				auth: []credentialprovider.AuthConfig{
   237  					{
   238  						Username: "default-user",
   239  						Password: "default-password",
   240  					},
   241  				},
   242  			},
   243  			pullSecrets: []v1.Secret{
   244  				{
   245  					Type: v1.SecretTypeDockerConfigJson,
   246  					Data: map[string][]byte{
   247  						v1.DockerConfigJsonKey: []byte(`{"auths": {"test.registry.io": {"auth": "dXNlcjpwYXNzd29yZA=="}}}`),
   248  					},
   249  				},
   250  			},
   251  			authConfigs: []credentialprovider.AuthConfig{
   252  				{
   253  					Username: "user",
   254  					Password: "password",
   255  				},
   256  				{
   257  					Username: "default-user",
   258  					Password: "default-password",
   259  				},
   260  			},
   261  			found: true,
   262  		},
   263  	}
   264  
   265  	for _, testcase := range testcases {
   266  		t.Run(testcase.name, func(t *testing.T) {
   267  			keyring, err := MakeDockerKeyring(testcase.pullSecrets, testcase.defaultKeyring)
   268  			if err != nil {
   269  				t.Fatalf("error creating secret-based docker keyring: %v", err)
   270  			}
   271  
   272  			authConfigs, found := keyring.Lookup(testcase.image)
   273  			if found != testcase.found {
   274  				t.Logf("actual lookup status: %v", found)
   275  				t.Logf("expected lookup status: %v", testcase.found)
   276  				t.Errorf("unexpected lookup for image: %s", testcase.image)
   277  			}
   278  
   279  			if !reflect.DeepEqual(authConfigs, testcase.authConfigs) {
   280  				t.Logf("actual auth configs: %#v", authConfigs)
   281  				t.Logf("expected auth configs: %#v", testcase.authConfigs)
   282  				t.Error("auth configs did not match")
   283  			}
   284  		})
   285  	}
   286  }
   287
View as plain text